Runlists with no runs are tolerated though not expected. However merging
such runlists is problematic as there is no significant vcn to examine.
So avoid merging them, and just return the other runlist.
A zero-size run is the universal way to identify the end of a runlist,
so we must reject zero-sized runs when decompressing a runlist. A
zero-size data run is an error, and a zero-size hole is simply ignored.
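Added example (not ntfs-3g code): a minimal decoder for an NTFS mapping-pairs array that applies the rule stated above, rejecting a zero-size data run and skipping a zero-size hole. The names `struct run` and `decode_runlist`, the -1 hole marker and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

struct run { int64_t vcn, lcn, length; };      /* lcn == -1 marks a hole */
/* Read an n-byte (1..8) little-endian signed integer. */
static int64_t read_le_signed(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (n < 8 && (p[n - 1] & 0x80))
        v |= ~(uint64_t)0 << (8 * n);          /* sign-extend */
    return (int64_t)v;
}

/* Returns the number of runs stored in out[], or -1 if malformed. */
int decode_runlist(const uint8_t *buf, size_t len, struct run *out, int max)
{
    int64_t vcn = 0, lcn = 0;
    size_t pos = 0;
    int n = 0;
    while (pos < len && buf[pos] != 0) {       /* header 0 ends the list */
        unsigned lsz = buf[pos] & 0x0f, osz = buf[pos] >> 4;
        if (lsz == 0 || lsz > 8 || osz > 8 || len - pos < 1 + lsz + osz)
            return -1;                         /* bad field sizes or overrun */
        int64_t length = read_le_signed(buf + pos + 1, lsz);
        int64_t delta = osz ? read_le_signed(buf + pos + 1 + lsz, osz) : 0;
        pos += 1 + lsz + osz;
        if (length < 0 || length > INT64_MAX - vcn)
            return -1;                         /* negative size or vcn overflow */
        if (osz == 0 && length == 0)
            continue;                          /* zero-size hole: ignored */
        if (osz != 0 && (length == 0 || delta > INT64_MAX - lcn || lcn + delta < 0))
            return -1;                         /* zero-size data run: error */
        if (n == max)
            return -1;                         /* caller's array is full */
        lcn += delta;
        out[n++] = (struct run){ vcn, osz ? lcn : -1, length };
        vcn += length;
    }
    return pos < len ? n : -1;                 /* terminator must be present */
}

int main(void)
{
    /* Constructed sample: 0x18 clusters at LCN 0x5634, zero-size hole, end. */
    const uint8_t mp[] = { 0x21, 0x18, 0x34, 0x56, 0x01, 0x00, 0x00 };
    struct run rl[4];
    return decode_runlist(mp, sizeof mp, rl, 4) == 1 ? 0 : 1;
}
```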
When copying an attribute name which contains a null, it is truncated
and this may lead to accessing non-allocated bytes when relying on the
expected name length. Such (illegal) names must therefore be rejected.
Before reading a full attribute value for internal use, its expected
length has been checked to be < 0x40000. However the allocated size
in the runlist may be much bigger as a consequence of a bug or malice.
To prevent malloc'ing excessive size, restrict the size of the last
run to read to the needed length.
When copying an attribute name which contains a null, it is truncated
and this may lead to accessing non-allocated bytes when relying on the
expected name length. Such names must therefore be rejected.
When creating a new MFT record, the former seq_no and usn are retrieved
to avoid the new one being mistaken for the former one.
This may not be possible when the record is used for the first time
or after some bad error. In such a situation, use default values.
The recent detection of a truncated attribute list entry overlooked the
normal detection of the end of list. Moreover the check for name
overflow is to be done later and not needed at this stage.
Allocating clusters to the main bitmap may imply updating the bitmap
itself within a cluster not yet allocated. This can turn into endless
recursions and has to be rejected. Currently the bitmap is assumed
to be fully allocated.
The count of free clusters may be updated while mounting before it
has been initialized, which may lead to irrelevant error messages.
Moreover the count is not computed at all in some ntfsprogs utilities.
So set up a flag to avoid outputting irrelevant errors.
Make sure the used part of an index block fits into the allocated buffer.
Note: a negative size may cause overflow on 32-bit cpus.
(contributed by Rakesh Pandit)
The standard size is 2560 bytes. It can be extended for specific purposes,
but its former limit to 32 bits was unreasonable. Anyway ntfs-3g is
not committed to support non-standard situations.
Checked that attributes are [non-]resident when they have to be, and
grouped consistency checks on each of them in a dedicated function.
Consequently request the checks where needed and remove existing index
checks.
The standard information of the MFT must be its first attribute in the
base record. If it is not accessible initially, we end up searching for it
in an extent before the MFT struct is ready for that.
The end of the attributes must be checked against the space in use
rather than the allocated space. This contributes to the safety of
subsequent attribute resizing.
Make sure the attribute designated to readall() has a reasonable size.
Apart from a bitmap, in a valid call, the attribute size is limited to
65536, and bitmaps are limited by the number of clusters.
When appending to an existing compressed file, the last block must first
be decompressed. When doing so, clear the tail of the buffer in order to not
leak unrelated data.
Reject updating uninitialized MFTMirr because it leads to endless
recursions as updating the MFTMirr entry of MFT implies further updating
MFTMirr.
This is probably specific to ntfsfix, as mounts are normally rejected
when MFTMirr does not match MFT.
Make sure the attributes fully lie within the MFT record, and make sure
their variable components (name, runlist, value) fully lie within the
attribute.
The consistency check on the upcase size was lax.
The Unicode points are limited to 1048575 (20 bits), but there is no
provision to support code points beyond 65535.
In the current implementation the upcase size must be even and <= 131072.
Optionally record the special files (symlinks, fifos, sockets, character
and block devices) using reparse points instead of using Interix representation.
Doing so, the special files are interoperable with Windows Subsystem for
Linux (WSL).
Windows traditionally rejected having both EA and reparse data assigned
to a file, but Windows 10 has dropped the constraint and it uses this
condition massively, so do the same. Note that pre-Windows 10 chkdsk.exe
removes the EAs on reparse points, potentially damaging more recent
volumes.